/*
 * To change this license header, choose License Headers in Project Properties.
 * To change this template file, choose Tools | Templates
 * and open the template in the editor.
 */
package com.tamnd.app.config.security;

import com.tamnd.app.common.Common;
import com.tamnd.app.filters.CsrfHeaderFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

/**
 * Spring Security configuration for the application.
 *
 * <p>Wires form login, HTTP Basic, logout, session-backed CSRF protection and a
 * one-session-per-user limit. Credentials are resolved through
 * {@link UserDetailServiceImpl} and compared with BCrypt.
 *
 * @author tamnd
 */
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Request header the CSRF token repository reads the token from. */
    private static final String CSRF_HEADER_NAME = "X-XSRF-TOKEN";

    @Autowired
    private AuthSuccess authSuccess;

    @Autowired
    private AuthFailure authFailure;

    @Autowired
    private EntryPointUnauthorizeHandler unauthorizeHandler;

    // Injected but not referenced by configure(HttpSecurity); httpBasic() below
    // runs with its default entry point.
    @Autowired
    private EntryPointAuthenticationHandler authorizeHandler;

    @Autowired
    private LogoutSuccessHandler logoutSuccess;

    @Autowired
    private UserDetailServiceImpl userDetailService;

    /**
     * Registers the user lookup service and the password encoder with the
     * global authentication manager.
     *
     * @param builder builder for the global {@code AuthenticationManager}, injected by Spring
     * @throws Exception propagated from the builder
     */
    @Autowired
    public void configAuthBuilder(AuthenticationManagerBuilder builder) throws Exception {
        builder.userDetailsService(userDetailService)
                .passwordEncoder(passwordEncoder());
    }

    /**
     * Builds the HTTP security rules.
     *
     * <p>Static assets, {@code /}, {@code /test} and an anonymous
     * {@code POST /rest/accounts} (presumably account creation) are open;
     * every other request requires authentication.
     *
     * @param http the security builder for the application's filter chain
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/static/**", "/favicon.ico", "/app/**").permitAll()
                .antMatchers("/", "/test").permitAll()
                .antMatchers(HttpMethod.POST, "/rest/accounts").permitAll()
                .anyRequest().authenticated();

        // Placed after CsrfFilter so the current request's token is already
        // resolved; what CsrfHeaderFilter does with it lives in that class.
        http.addFilterAfter(new CsrfHeaderFilter(), CsrfFilter.class);

        http.formLogin()
                .defaultSuccessUrl(Common.DEFAULT_URL)
                .loginProcessingUrl("/login")
                .loginPage(Common.LOGIN_URL)
                .successHandler(authSuccess)
                .failureHandler(authFailure)
                .permitAll();

        http.httpBasic();

        http.logout()
                .logoutSuccessHandler(logoutSuccess)
                .deleteCookies("JSESSIONID")
                .invalidateHttpSession(true)
                .permitAll();

        // CSRF stays enabled; the token is kept in the session and expected in
        // the X-XSRF-TOKEN header.
        http.csrf().csrfTokenRepository(csrfTokenRepository());

        http.exceptionHandling().authenticationEntryPoint(unauthorizeHandler);

        http.sessionManagement()
                .invalidSessionUrl(Common.DEFAULT_URL)
                .maximumSessions(1);

        // NOTE: no requiresChannel()/HTTPS enforcement is configured here; if the
        // deployment relies on TLS, it must be enforced in front of the application.
    }

    /**
     * Creates the session-backed CSRF token repository.
     *
     * @return a repository that looks for the token in the {@code X-XSRF-TOKEN} header
     */
    private CsrfTokenRepository csrfTokenRepository() {
        HttpSessionCsrfTokenRepository sessionRepo = new HttpSessionCsrfTokenRepository();
        sessionRepo.setHeaderName(CSRF_HEADER_NAME);
        return sessionRepo;
    }

    /**
     * Exposes the password encoder bean.
     *
     * @return a BCrypt encoder built with the no-arg constructor (library default strength)
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}